Fortinet Document Library

Version:

Version:


Table of Contents

Cookbook

Download PDF
Copy Link

Configure the certificates and Root CA

With Microsoft Active Directory as the Root CA, use Group Policy Management to deploy client certificates to domain computers. This is the certificate that will be used to validate RADIUS requests.

To create a computer client certificate:
  1. In Active Directory > Group Policy Management, create a new Group Policy Object (GPO) with settings configured for auto-enrollment.
  2. Link the GPO to the OU where the client computers are located.
    The computer account in Active Directory must use the attribute dNSHostName with the value of the computer's name. This attribute is used later on FortiAuthenticator when creating the user remote sync rule.
To import the Microsoft AD Root CA as a trusted CA:
  1. On the FortiGate, go to System > Certificates, and click Import > CA Certificate. Configure the following settings, and click OK when complete.
    1. TypeFile.
    2. Upload: Click Upload and browse to the location of your certificate.
  2. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Trusted CAs, and click Import. Configure the following settings, and click OK when complete.
    1. Certificate ID: Enter the certificate ID.
    2. Certificate: Click Upload a file and browse to the location of your certificate.

Once the Root CA is configured, you can issue certificates from AD to both the FortiGate and the FortiAuthenticator.

Configure the certificates and Root CA

With Microsoft Active Directory as the Root CA, use Group Policy Management to deploy client certificates to domain computers. This is the certificate that will be used to validate RADIUS requests.

To create a computer client certificate:
  1. In Active Directory > Group Policy Management, create a new Group Policy Object (GPO) with settings configured for auto-enrollment.
  2. Link the GPO to the OU where the client computers are located.
    The computer account in Active Directory must use the attribute dNSHostName with the value of the computer's name. This attribute is used later on FortiAuthenticator when creating the user remote sync rule.
To import the Microsoft AD Root CA as a trusted CA:
  1. On the FortiGate, go to System > Certificates, and click Import > CA Certificate. Configure the following settings, and click OK when complete.
    1. TypeFile.
    2. Upload: Click Upload and browse to the location of your certificate.
  2. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Trusted CAs, and click Import. Configure the following settings, and click OK when complete.
    1. Certificate ID: Enter the certificate ID.
    2. Certificate: Click Upload a file and browse to the location of your certificate.

Once the Root CA is configured, you can issue certificates from AD to both the FortiGate and the FortiAuthenticator.